Amazon Cloud Drive Security Concerns
What is the Amazon Cloud Drive?
Cloud Drive is Amazon’s new online storage service, which lets you manage and retrieve files you upload from any device that has access to your Amazon account. Amazon provides 5GB of storage for free, with upgrade options currently priced at $1/year per gigabyte. Amazon has bundled this launch with their Cloud Player, an app created for web browsers and Android-powered phones that allows you to stream mp3s uploaded to your Cloud Drive account.
A free 5GB account will likely encourage less tech-savvy users to sign up immediately, overlooking Amazon’s current account security practices.
Security Concerns
In its current state, I think the Cloud Drive is perfect for storing non-personal data, especially music and video. Bundling the media player with the launch of Cloud Drive shows Amazon’s initial intentions. However, Amazon does not clearly warn users against storing personal files. Throughout Amazon’s marketing copy, they describe their product as secure.
With Amazon’s current account security, anyone who has your email and password can access your Amazon account. Your initial reaction may be “DUH – If someone has my username and password, of course they can access my account.” However, when it comes to online accounts that provide sensitive information, a form of two-factor authentication should be a requirement.
What is two-factor authentication?
Two-factor authentication is what you experience with online banking and with Google’s recent changes to account security. Two-factor means two independent methods of confirming the authenticity of the person logging in. With most online banking services, entering your password is only the first step. If the bank does not recognize the computer you’re logging in from, they may require a second step of authentication. This second step is commonly done with a unique and temporary security code that is sent either to your email address on file or as a text message to your mobile phone. The user then has to enter this unique code to confirm their identity.
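The second step described above, sketched as an added example (not code from Amazon, Google or any bank). The class name, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is voided (assumed)


class SecondFactor:
    """In-memory sketch of the 'unrecognized computer' flow (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.known_devices = {}   # user -> set of trusted device ids
        self.pending = {}         # (user, device) -> [code_hash, expiry, tries_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def after_password(self, user, device):
        """Call once the password has been verified. Returns (status, code)."""
        if device in self.known_devices.get(user, set()):
            return "logged_in", None
        code = f"{secrets.randbelow(10**6):06d}"   # drawn from a CSPRNG
        self.pending[(user, device)] = [self._digest(code),
                                        self.clock() + CODE_TTL, MAX_ATTEMPTS]
        # A real service would deliver `code` by SMS or email, never return it.
        return "code_required", code

    def submit_code(self, user, device, code):
        """True only for the right code, in time, within the attempt limit."""
        entry = self.pending.get((user, device))
        if entry is None:
            return False
        code_hash, expiry, tries_left = entry
        if self.clock() > expiry:
            del self.pending[(user, device)]       # temporary: expired codes die
            return False
        if not hmac.compare_digest(code_hash, self._digest(code)):
            entry[2] = tries_left - 1
            if entry[2] <= 0:
                del self.pending[(user, device)]   # stops online guessing
            return False
        del self.pending[(user, device)]           # unique: single use
        self.known_devices.setdefault(user, set()).add(device)
        return True
```

The password alone never reaches `logged_in` from a new device; the code is what proves possession of the phone or mailbox on file.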
Good Security Practices
The level of security needed depends on the type of information being secured. If you don’t plan on storing personal, sensitive information in your Cloud Drive, then Amazon’s lack of two-factor authentication shouldn’t be a concern. The same rule applies to any online service. Before storing or accessing information online, be it Facebook, email, or online storage, think about how sensitive the stored information is. How devastating would it be if someone gained unauthorized access to the given account? Thinking through these questions is the first step in maintaining a secure online presence.
Additional Security Concerns
- JR Raphael shares his concerns regarding Amazon’s rights to your data, based on the Terms & Conditions.



6 Comments
Just Googled cloud drive and security and came across your blog. I set up an account yesterday and dumped some files up that I had on dropbox and was a little stunned with the lack of security on the cloud drive. I realize the authentication scheme could use two-factor like you are saying, but what I found was very troubling. If you are authenticated and open a jpeg stored on the Amazon cloud drive, it will display in your browser. So I copied the URL from Chrome and pasted it into my IE address bar and the jpeg displayed even though I was not authenticated to the Amazon cloud drive. So I pasted it into Safari as well and again the image displayed. I realize the pretty random URL generated by cloud drive would be hard to guess, but it is security through obscurity. I agree with your assessment that the service is not ready for personal documents.
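An added example, not part of the comment above and not Amazon's implementation: one way a storage service can make a file link an authorization decision instead of a hard-to-guess secret. The key, function names and URL layout are assumptions for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server


def _token(path, user, expires_at, key):
    msg = f"{path}|{user}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_link(path, user, expires_at, key=SERVER_KEY):
    """Return a URL whose signature covers the file, the owner and an expiry."""
    return f"{path}?exp={expires_at}&sig={_token(path, user, expires_at, key)}"


def authorize(url, session_user, now=None, key=SERVER_KEY):
    """Serve the file only to the signed-in user the link was issued for."""
    now = time.time() if now is None else now
    if session_user is None:            # pasted into a browser with no session
        return False
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires_at = int(params["exp"])
        sig = params["sig"]
    except (KeyError, ValueError):
        return False
    if now > expires_at:                # links stop working after the expiry
        return False
    expected = _token(path, session_user, expires_at, key)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(expected.encode(), sig.encode())
```

With this check, copying the URL into a second browser that holds no authenticated session fails, and so does changing the path or the expiry.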
[...] Kyle Williams at Headstand Media discusses security concerns with Amazon’s new online storage service, Cloud Drive. [...]
Kyle:
Thanks for posting this. I was updating my review of Amazon Cloud Drive for my site and was looking for information on the security of this service as there is little to no information about it on the Amazon Cloud Drive pages themselves.
I knew this service was lacking in its security, but I didn’t realize it was this bad. I hope Amazon changes this but given the behemoth Amazon is, I doubt it will be changed anytime soon.
TravisVS
[...] Amazon.com, has been called out on its security measures – rather, the lack of them. As Kyle Williams discusses on the blog Headstand Media, Amazon points out the need to keep your email and password secure (of [...]
One can greatly enhance security where needed by employing the GNU Privacy Guard (GPG). The GPG encrypted file can just as easily be sent to the cloud drive as the original and it will never display. There are Linux, Mac, and Windows versions of GPG and I have verified that it works nicely.